
Global Accelerator:Accelerate domain names hosted outside the Chinese mainland

Last Updated: Mar 01, 2024

Global Accelerator (GA) offers web service providers a cross-border acceleration solution. GA is integrated with Anti-DDoS Pro and Web Application Firewall (WAF) to mitigate DDoS attacks and web attacks based on high-bandwidth BGP lines and the global transmission network of Alibaba Cloud. Global Traffic Manager (GTM) can interact with GA to conduct fault isolation or traffic failovers.

Background information

A web service is deployed on Alibaba Cloud in the US (Silicon Valley) region. The origin servers are four Elastic Compute Service (ECS) instances associated with Alibaba Cloud elastic IP addresses (EIPs). The web service is deployed on the ECS instances with the domain name www.example.us that is registered outside the Chinese mainland. The forwarding port is TCP port 9000. The web service encounters the following issues:

  • The domain name of the web service is registered outside the Chinese mainland and cannot be hosted on servers in the Chinese mainland. However, the majority of users are located in the Chinese mainland.

  • The web service frequently suffers from web attacks and DDoS attacks, which severely degrades the security and availability of the web service.

  • The cross-border network is unstable. Network issues, such as network latency, network jitter, and packet loss, frequently occur and degrade the performance of the web service.

  • The origin servers are unstable and services may be interrupted.

Figure: Cross-border acceleration

The preceding figure shows how to deploy a Global Accelerator (GA) instance to interact with Anti-DDoS Pro/Premium, Web Application Firewall (WAF), and Global Traffic Manager (GTM). This solution allows you to resolve the preceding issues.

  • Anti-DDoS Pro/Premium can mitigate DDoS attacks.

    The Anti-DDoS Pro/Premium service is deployed in tap mode. Anti-DDoS Pro/Premium is triggered only in specific scenarios. This ensures service quality when no DDoS attack occurs and enhances protection when DDoS attacks are detected.

  • GA can accelerate content delivery between the origin servers and users in acceleration areas.

    Users in the Chinese mainland send requests to the Alibaba Cloud acceleration network from the access points in the China (Hong Kong) region. The system forwards the requests to the origin servers in the US (Silicon Valley) region by using intelligent routing and automatic network traffic distribution.

  • WAF can protect your website against a variety of web attacks.

    WAF can detect and block malicious Internet traffic. Non-malicious network traffic is forwarded to the IP addresses of the origin servers. WAF ensures security, stability, and availability of the origin servers.

  • GTM can be used to isolate malfunctioned servers or switch network traffic among multiple origin servers.

    • When the primary server group is working as expected, all user traffic is forwarded to the primary server group.

    • When the primary server group is unavailable, traffic is directed to the secondary server group. After the primary server recovers, traffic is switched back to the primary server group.

Procedure

Step 1: Create a GTM instance

GTM is a traffic management service that allows you to manage network traffic from clients in a fine-grained way.

To create a GTM instance, perform the following steps:

  1. Log on to the Alibaba Cloud DNS console.

  2. In the left-side navigation pane, click Global Traffic Manager.

  3. On the Global Traffic Manager page, click Create Instance.

  4. On the buy page, set the following parameters.

    1. Edition: You can select Standard Edition or Ultimate Edition. In this example, Standard Edition is selected.

    2. Quantity: The number of GTM instances that you want to purchase.

    3. Service Time: The service duration of the GTM instance.

  5. Click Buy Now and complete the payment.

Step 2: Configure an access policy

Access policies allow GTM to forward requests from different access points to different origin servers. You can also specify secondary origin servers to meet your business demands.

To configure an access policy for GTM, perform the following steps:

  1. Log on to the Alibaba Cloud DNS console.

  2. In the left-side navigation pane, click Global Traffic Manager.

  3. On the Global Traffic Manager page, find the GTM instance that you want to manage, and click Configure in the Actions column.

  4. In the Select Configuration Method dialog box, select Quick Start.

  5. In the Configure Access Policy step, set the following parameters:

    1. Policy Name: Enter a name for the access policy.

    2. DNS Request Source: Select a request source.

      After you specify a region as the request source, when users in this region send requests to the service, GTM distributes the requests to the specified origin server address pool. Global is selected in this example.

    3. Primary Address Pool Set: Click the Primary Address Pool Set tab.

      Primary Address Pool Set specifies the address pool of backend servers to which GTM forwards user traffic.

      Click Create Address Pool and add the IP addresses of Origin Server 1 and Origin Server 2 in the US (Silicon Valley) region to the primary address pool. Then, configure health checks and select the primary address pool. For more information about health check configurations, see TCP health check.

    4. Secondary Address Pool Set: Click Secondary Address Pool Set.

      Secondary Address Pool Set specifies the address pool that takes over when the primary address pool specified by Primary Address Pool Set is unavailable.

      Click Create Address Pool and add Origin Server 3 and Origin Server 4 in the US (Silicon Valley) region to the secondary address pool. Then, configure health checks and select the secondary address pool. For more information about health check configurations, see TCP health check.

  6. Click Next.

Step 3: Configure basic information

After you configure the access policy, you must specify the basic information about the GTM instance. The information includes the domain name, CNAME, global time-to-live (TTL) value, and alert group.

To configure the basic information about GTM, perform the following steps:

  1. In the Configure Basic Settings wizard, set the following parameters:

    1. Instance Name: Enter an instance name.

      An instance name is used to identify the service to which the instance applies.

    2. Business Domain Name(Internet): Enter a domain name to be accessed by the client. www.example.us is used in this example.

    3. CNAME(Internet): Specify the type of the CNAME.

      • Assigned CNAME: Select this option if the IP address pool contains only Alibaba Cloud IP addresses or IP addresses outside mainland China.

      • Custom CNAME: Select this option if the IP address pool contains IP addresses of data centers.

      In this example, the address pool contains only EIPs. Therefore, Assigned CNAME is selected in this example.

    4. Global TTL Period: The validity period of the IP address to which the domain name is resolved. 1 Minutes is selected in this example.

      You can use GTM to manage network traffic based on domain names. Global TTL specifies the TTL of the IP address that is cached in the DNS system of the Internet service provider (ISP). By default, the global TTL is set to 1 minute. If you use a custom domain name, the global TTL must be the same as the minimum TTL supported by the DNS plan of the custom domain name.

    5. Alert Group: the contact group to which a notification is sent when an exception is detected in your workloads.

      Note
      • If you have not configured an alert group, log on to the CloudMonitor console and add a contact group. For more information, see Create an alert contact or alert contact group.

      • If you have configured a contact group but want to configure the basic information as a Resource Access Management (RAM) user, you must first use your Alibaba Cloud account to authorize the RAM user. After the RAM user is authorized, you can log on as a RAM user to read messages sent to the alert group.

  2. Click Complete.

After you configure the basic information, the system automatically allocates a CNAME to the domain name. User requests destined for the CNAME are resolved to the IP address of the scheduled origin server.

Step 4: Activate WAF

WAF provides security protection based on big data technologies of Alibaba Cloud Security. It defends against common attacks defined by Open Web Application Security Project (OWASP), including SQL injections, Cross-Site Scripting (XSS) attacks, exploits of vulnerabilities in web server plug-ins, Trojan uploads, and unauthorized access to core resources. WAF blocks volumetric HTTP flood attacks to prevent the exposure of website assets and data, and to ensure website security and availability.

This step describes how to purchase a subscription WAF instance.

  1. Enter the WAF product overview page on the Alibaba Cloud official website, and log on with your Alibaba Cloud account.

  2. Click Buy Now.

  3. On the Web Application Firewall buy page, set the following parameters.

    1. Region: Select the region where the WAF instance is deployed.

      In this example, the WAF instance is deployed in the US (Silicon Valley) region. Therefore, Outside Chinese Mainland is selected.

    2. Deployment: Select a plan for WAF. On-cloud WAF is selected in this example.

    3. Edition: Select the edition of WAF that you want to activate.

      Different WAF editions are applicable to various business scales and provide different protection features. For more information, see WAF deployment plans and editions. Enterprise is selected in this example.

    4. Extra Domains: Specify the number of additional domain names.

      If you want to add multiple domains or more than 10 subdomains to WAF, you can purchase additional domain names. For more information, see Additional domain names. Additional domain names are not purchased in this example.

    5. Exclusive IP Address: Specify the number of exclusive IP addresses.

      You can purchase an exclusive IP address when your domain name needs WAF protection through an exclusive IP address. For more information, see Exclusive IP addresses. Exclusive IP addresses are not purchased in this example.

    6. Extra Traffic: Specify the additional bandwidth value. Unit: Mbit/s.

      If you require additional bandwidth, you can purchase an additional bandwidth plan. For more information, see Additional bandwidth plans. 100 Mbit/s is selected in this example.

    7. Intelligent Load Balancing: Select whether to enable global load balancing.

      Global load balancing uses the multi-node resilience technology. It distributes network traffic based on multiple nodes or lines to implement disaster recovery and improve service reliability. Disable is selected in this example.

    8. Log Service: Select whether to activate Log Service.

      Log Service retrieves log data from WAF in real time and then stores the data in Logstores. You can query and analyze the log data, and generate analytic reports online. Disable is selected in this example.

    9. Bot Management: Select whether to enable this feature.

      To mitigate security threats caused by bot traffic, you can enable this feature. For more information, see Configure bot threat intelligence rules and Configure the allowed crawlers function. Disable is selected in this example.

    10. App Protection: Select whether to enable this feature.

      You can enable this feature if your business supports mobile applications and you have security requirements for your business, such as trusted communication and prevention of bot scripts. For more information, see Configure application protection. Disable is selected in this example.

    11. Data Visualization: Specify the type of data visualization.

      You can enable the data visualization feature to display and analyze the workloads and security status of your website. For more information, see Data visualization. Disabled is selected in this example.

    12. Subscription Duration: Select the duration of the WAF service.

  4. Click Buy Now and pay for the order.

Step 5: Add website configurations

After WAF is activated, you must configure the forwarding rules for the website protected by WAF.

Perform the following steps to route user traffic to WAF before it reaches the domain name protected by WAF:

  1. Log on to the Web Application Firewall console.

  2. In the top navigation bar, select the region of your WAF instance. International is selected in this example.

  3. In the left-side navigation pane, choose Asset Center > Website Access.

  4. On the Website Access page, click Website Access.

  5. Follow the Add Domain Name wizard to complete the configuration.

    1. Domain Name: Enter the domain name for which you want to enable WAF protection. www.example.us is used in this example.

      Note
      • You can enter a specific domain name, such as www.aliyun.com, or a wildcard domain name, such as *.aliyun.com.

        • If you use a wildcard domain name, WAF automatically searches for domain names that match the specified wildcard domain name.

        • If you enter a wildcard domain name and a specific domain name, WAF uses the forwarding rules and protection rules for the specific domain name.

      • .edu domain names are not supported. If you need to use .edu domain names, join the DingTalk group (group ID: 21715946) for technical support.

    2. Protocol Type: Select the protocol that your website supports. HTTP is selected in this example.

      Note
      • If your website supports HTTPS, select HTTPS, and upload the certificate and the private key file after you set website parameters. For more information, see Add a domain name to WAF.

      • After you select HTTPS, click Advanced Settings to enable the HTTP force redirect and HTTP back-to-origin features to ensure efficient access to your website. For more information, see Add a domain name to WAF.

      • To enable protection for HTTP 2.0 requests, make sure that the following requirements are met:

        • Your WAF service is upgraded to Business or Enterprise Edition.

        • HTTPS is selected.

    3. Destination Server (IP Address): Select a server address type and enter the address of the origin server.

      You can select IP or Domain Name (Such as CNAME). After your website is connected to WAF, WAF filters and redirects requests to the specified address. In this example, Domain Name (Such as CNAME) is selected, and the CNAME that is assigned to GTM after you configure the basic information in Step 3 is used. For more information, see Step 3: Configure basic information.

    4. Destination Server Port: Specify the service port of the website.

      WAF receives and forwards traffic to your website only through the specified ports. User traffic destined for the website domain name is forwarded only through these service ports. WAF does not forward traffic received on unspecified ports to the origin servers, so those ports on the origin servers cannot be reached through WAF even if they are open or have vulnerabilities.

      Important

      The protocol and port must be the same as those of the origin server IP address. You cannot change the port after it is specified.

      The custom port 9000 is specified in this example.

      Note

      By default, WAF supports the following ports: HTTP ports 80 and 8080, and HTTPS ports 443 and 8443. WAF instances of Business Edition and Enterprise Edition support more non-standard ports, and have corresponding limits on the total number of ports used by the protected domain name. For more information, see View the ports supported by WAF.

    5. Load Balancing Algorithm: If multiple origin server IP addresses are specified, select IP hash or Round-robin. WAF distributes requests to these servers based on the specified algorithm for load balancing.

    6. Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes or No based on the actual status of your website. Yes is selected in this example.

    7. Enable Traffic Mark: Specify whether to enable the traffic mark feature. If you want to mark requests that pass through WAF, you can enable this feature. After you enable this feature, requests that pass through WAF are marked and other requests are not marked. When you enable this feature, you must specify a custom HTTP header field. The header field consists of Header Name and Header Value. This feature is enabled in this example.

      Note

      Do not specify a standard HTTP header field, such as User-Agent. Otherwise, the value of the standard header field is overwritten by the custom field value.

  6. Click Next. On the Add Domain Name page, click Copy CNAME to record the CNAME of WAF.


  7. Click Next to view the WAF IP address, and then click Completed. Return to the website list.
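The traffic mark configured above is only useful if the origin actually checks it. The following origin-side check is an added example and not part of the Alibaba Cloud documentation or of WAF itself: a small WSGI middleware that rejects requests lacking the expected custom header (the header name X-WAF-Mark and its value are constructed for the demonstration) and refuses to use a standard header as the mark, for the reason given in the note above. Pair it with allowing only the WAF back-to-origin IP address shown in step 7 at the origin's firewall, since the mark alone is a shared secret, not a source check.

```python
import hmac
from typing import Callable, Mapping, Tuple

# Standard HTTP request headers that must not be used as the traffic mark:
# WAF would overwrite their real value with the mark value (see the note above).
STANDARD_HEADERS = frozenset({
    "user-agent", "host", "accept", "content-type", "content-length",
    "referer", "cookie", "authorization", "x-forwarded-for",
})


def is_valid_mark_name(name: str) -> bool:
    """A traffic mark header name must be a custom field, not a standard one."""
    return bool(name) and name.lower() not in STANDARD_HEADERS


def request_came_through_waf(headers: Mapping[str, str],
                             mark_name: str, mark_value: str) -> bool:
    """True only if the request carries the WAF traffic mark with the expected value.

    Header names are matched case-insensitively; the value is compared in
    constant time so the check does not leak the mark through timing.
    """
    if not is_valid_mark_name(mark_name):
        raise ValueError(f"{mark_name!r} is a standard header and cannot be a traffic mark")
    wanted = mark_name.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return hmac.compare_digest(value.encode("utf-8"), mark_value.encode("utf-8"))
    return False


def wsgi_headers(environ: Mapping[str, str]) -> dict:
    """Rebuild request headers from a WSGI environ (HTTP_X_WAF_MARK -> x-waf-mark)."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").lower()] = value
    return headers


def origin_guard(app: Callable, mark_name: str, mark_value: str) -> Callable:
    """WSGI middleware for the origin: reject requests that lack the WAF traffic mark."""
    def guarded(environ, start_response):
        if not request_came_through_waf(wsgi_headers(environ), mark_name, mark_value):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to the origin is not allowed\n"]
        return app(environ, start_response)
    return guarded


def run_request(app: Callable, environ: Mapping[str, str]) -> Tuple[str, bytes]:
    """Minimal WSGI driver for the demonstration; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


# Constructed mark for the demonstration; use a long random value in practice.
MARK_NAME = "X-WAF-Mark"
MARK_VALUE = "constructed-example-secret"
protected = origin_guard(hello_app, MARK_NAME, MARK_VALUE)

if __name__ == "__main__":
    via_waf = {"REQUEST_METHOD": "GET", "HTTP_X_WAF_MARK": MARK_VALUE}
    direct = {"REQUEST_METHOD": "GET", "HTTP_USER_AGENT": "curl/8.0"}
    print(run_request(protected, via_waf))   # ('200 OK', b'hello from origin\n')
    print(run_request(protected, direct))    # ('403 Forbidden', b'direct access ...')
```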

Step 6: Create a GA instance

  1. Log on to the GA console.

  2. On the Instances page, click Create Instance.

  3. On the buy page, configure the parameters, click Buy Now, and then complete the payment.

    • Instance Type: Select Standard Instance.

    • Instance Type: Select the specification of the standard GA instance. In this example, Medium Ⅰ is selected.

      For more information about the specifications supported by standard GA instances, see Specifications of standard GA instances.

    • Accelerated IP Address Type: By default, EIP is selected.

    • Bandwidth Billing Method: By default, Pay-By-Bandwidth is selected.

    • Resource Group: Select the resource group to which the standard GA instance belongs.

      The resource group must be a resource group created by the current Alibaba Cloud account in Resource Management. For more information, see Create a resource group.

    • Subscription Duration: Select the subscription duration of the standard GA instance.

      To enable the auto-renewal feature, select Auto-renewal. Make sure that your account balance is sufficient.

    • Coupon: Specify whether to use coupons.

      By default, Do Not Use Coupons is selected. You can also select a coupon from the drop-down list.

    • Terms of Service: Read and select the Terms of Service.

After the instance is created, the system automatically assigns a CNAME to the instance. The CNAME is used to resolve the domain name of the origin servers.

Step 7: Purchase and associate with a basic bandwidth plan

A basic bandwidth plan provides bandwidth for data transmission over the Internet and within Alibaba Cloud. To achieve global acceleration, you must purchase a basic bandwidth plan and bind the plan to the GA instance.

  1. On the Instances page, click Purchase Basic Bandwidth Plan.
  2. On the buy page, set the following parameters, click Buy Now, and then pay for the order.

    1. Bandwidth Type: Select the type of the basic bandwidth plan.

      In this example, the domain name of the origin server is registered outside China and cannot be hosted on servers in the Chinese mainland. Premium is selected to allow users in the Chinese mainland to access the web services deployed in the US (Silicon Valley) region through the premium Internet in Hong Kong.

      The following types of bandwidth are supported by basic bandwidth plans: basic, enhanced, and premium. The acceleration type, accelerated endpoint, and acceleration scope of a basic bandwidth plan vary based on the bandwidth type, as described below.

      • Basic

        • Acceleration type: Applications deployed on Alibaba Cloud

        • Accelerated endpoint:

          • Standard GA instance:

            • Public IP addresses provided by Alibaba Cloud

            • Elastic Compute Service (ECS) instances

            • Elastic network interfaces (ENIs)

            • Classic Load Balancer (CLB) (formerly known as SLB) instances

            • Application Load Balancer (ALB) instances

            • Network Load Balancer (NLB) instances

            • Object Storage Service (OSS) buckets

            • vSwitches

          • Basic GA instance:

            • CLB instances

            • Secondary ENIs

            • ECS instances

            • NLB instances

        • Acceleration scope: By default, the acceleration area and the area where the endpoint is deployed are located in the Chinese mainland.

      • Enhanced

        • Acceleration type:

          • Applications deployed on Alibaba Cloud

          • Applications deployed outside Alibaba Cloud

        • Accelerated endpoint:

          • Standard GA instance:

            • Public IP addresses provided by Alibaba Cloud

            • ECS instances

            • ENIs

            • CLB instances

            • ALB instances

            • NLB instances

            • OSS buckets

            • vSwitches

            • Custom IP addresses

            • Custom domain names

          • Basic GA instance: N/A

        • Acceleration scope: By default, the acceleration area and the area where the endpoint is deployed are located in the Chinese mainland.

      • Premium

        • Acceleration type:

          • Applications deployed on Alibaba Cloud

          • Applications deployed outside Alibaba Cloud

        • Accelerated endpoint:

          • Standard GA instance:

            • Public IP addresses provided by Alibaba Cloud

            • ECS instances

            • ENIs

            • CLB instances

            • ALB instances

            • NLB instances

            • OSS buckets

            • vSwitches

            • Custom IP addresses

            • Custom domain names

          • Basic GA instance:

            • CLB instances

            • Secondary ENIs

            • ECS instances

            • NLB instances

        • Acceleration scope: By default, the acceleration area and the area where the endpoint is deployed are located outside the Chinese mainland. If you want to accelerate data transfer between the Chinese mainland and other areas, you must select China (Hong Kong) as the acceleration region.

    2. Peak Bandwidth: Specify the maximum bandwidth of the basic bandwidth plan. In this example, 10 Mbit/s is specified.

    3. Resource Group: Select the resource group to which the basic bandwidth plan belongs.

      The resource group must be a resource group created by the current Alibaba Cloud account in Resource Management. For more information, see Create a resource group.

    4. Duration: Select the duration of the basic bandwidth plan.

  3. Return to the Instances page and click the ID of the GA instance that you created in Step 6: Create a GA instance.
  4. On the page that appears, click the Bandwidth Manage tab.
  5. In the Basic Bandwidth Plan section, click Associate the instance with a basic bandwidth plan.

  6. In the Associate Basic Bandwidth Plan dialog box, set the following parameters and click OK.

    • Resource Group: Select the resource group to which the basic bandwidth plan belongs.

    • Associate Basic Bandwidth Plan: Select a basic bandwidth plan from the drop-down list.

    After the basic bandwidth plan is associated with the GA instance, the status of the basic bandwidth plan changes to In Use.

Step 8: Add an area that you want to accelerate

After you purchase a basic bandwidth plan, you can add an acceleration area, specify the acceleration regions where end users are located, and allocate bandwidth to these regions.

  1. On the Instances page, click the ID of the GA instance that you created in Step 6: Create a GA instance.

  2. On the instance details page, click the Acceleration Regions tab and select the region where you want to accelerate access. In this example, Asia Pacific is selected.

  3. On the Acceleration Areas tab, click Add Acceleration Area.

  4. In the Add Acceleration Area dialog box, set the following parameters and click OK.

    1. Select Acceleration Region: Select the region where users are located. In this example, select China (Hong Kong) and click Add.

    2. Bandwidth: Specify a maximum bandwidth value for the acceleration region. 10 Mbit/s is specified in this example.

    3. IP Protocol: Select the IP version of the clients that use GA. IPv4 is selected in this example.

After the area to be accelerated is added, GA assigns an accelerated IP address to each acceleration area to accelerate access to the domain name.

Step 9: Create a listener

A listener is used to check requests from clients. The system forwards requests based on the specified protocol and port.

  1. On the Instances page, click the ID of the GA instance that you created in Step 6: Create a GA instance.

  2. On the Listeners tab, click Add Listener.
  3. In the Configure Listener & Protocol step of the Add Listener wizard, configure the following parameters. Then, click Next.
    • Listener Name: Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.

    • Protocol: Select a protocol for the listener. In this example, TCP is selected.

    • Port Number: Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499. In this example, 9000 is used.

    • Client Affinity: Specify whether to enable client affinity. If client affinity is enabled, requests from the same client can be directed to the same endpoint when the client accesses a stateful application. In this example, Source IP Address is selected.

Step 10: Configure an endpoint group

  1. Enter a name for the endpoint group in the Endpoint Group Name field.

  2. Select the region to which the endpoint group and backend servers belong.

    In this example, network traffic is forwarded to WAF. Therefore, United States (Silicon Valley) is selected.

  3. Specify whether to deploy the backend service on Alibaba Cloud. Off Alibaba Cloud is selected in this example.

  4. Specify whether to preserve client IP addresses. After you enable this feature, backend servers can retrieve client IP addresses. This feature is disabled in this example.

  5. Configure endpoints.

    1. Backend Service Type: Select Custom Domain Name from the drop-down list.

    2. Backend Service: Enter the CNAME assigned by WAF after you set website parameters in Step 5. For more information, see Step 5: Add website configurations.

    3. Weight: Enter the weight of the endpoint. Valid values: 0 to 255. GA distributes network traffic to endpoints based on their weights.

      Warning

      If you set the weight of an endpoint to 0, Global Accelerator stops distributing network traffic to the endpoint. Proceed with caution.

  6. Click Next, confirm the configurations, and then click Next.

Step 11: Activate the Anti-DDoS Premium service

You can use Anti-DDoS Premium to mitigate DDoS attacks against servers deployed outside the Chinese mainland. Anti-DDoS Premium filters out attack traffic in scrubbing centers that are deployed nearest to visitors and forwards only service traffic back to the origin server. This ensures the stability of your workloads.

To purchase an Anti-DDoS Premium instance, perform the following steps:

  1. Log on to the Anti-DDoS Pro console.
  2. On the Instances page, click Purchase Instances.
  3. On the buy page, set the following parameters.

    1. Product Type: Select Anti-DDoS Premium.

    2. Plan: Select a mitigation plan for the Anti-DDoS Premium instance that you want to purchase.

      The Unlimited plan is selected in this example.

    3. Clean Bandwidth: Select the bandwidth value of the Anti-DDoS Premium instance.

      The value specifies the maximum traffic load of an Anti-DDoS instance when the instance is not under attack. 100 Mbit/s is selected in this example.

    4. Function Plan: Select a plan.

      You can select Standard Function or Enhanced Function. For more information about the differences between Standard Function and Enhanced Function, see Function plan. Enhanced Function is selected in this example.

    5. Domains: Select the number of HTTP/HTTPS domain names that can be protected by the instance.

      For more information about the number of protected domain names, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance. 10 is selected in this example.

    6. Clean QPS: Set the queries per second (QPS).

      This parameter specifies the maximum number of concurrent HTTP or HTTPS requests that the instance can process when no attack occurs. 3000 is selected in this example.

    7. Ports: Select the number of supported ports.

      The number of protected ports equals the maximum number of entries supported for TCP/UDP forwarding. 50 is selected in this example.

    8. Quantity: Select the number of instances that you want to purchase.

    9. Subscription: Select the subscription period of the Anti-DDoS Premium instance.

  4. Click Buy Now to complete the payment.

Step 12: Add a website

The configurations of a website specified in the Anti-DDoS Pro console define how network traffic is transmitted between a website and an Anti-DDoS Pro instance.

Follow these steps to add the website that needs protection to Anti-DDoS Pro:

  1. Log on to the Anti-DDoS Pro console.
  2. In the top status bar, select the region where the service is deployed. Outside Mainland China is selected in this example.

  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. On the Website Config page, click Add Domain.
  5. On the Add Domain page, enter the website information.

    1. Function Plan: Select a plan for the Anti-DDoS Premium instance that you want to associate with your website.

      Standard and Enhanced are available. For more information, see Function plan. Enhanced Function is selected in this example.

    2. Instance: Select the Anti-DDoS Pro instance to be associated. You can select up to eight instances for one domain. The instances associated with a domain must use the same function plan.
    3. Domain: Enter the website domain name that requires protection. www.example.us is used in this example.

    4. Protocol: Select the protocols supported by the website. By default, HTTP and HTTPS are selected. This topic uses the default setting.
    5. Server IP: Specify the address type and address of the origin server. In this example, Origin Server IP is selected, and the accelerated IP address is used. The accelerated IP address is the one that the GA instance assigns to the China (Hong Kong) region after you add the acceleration area in Step 8. For more information, see Step 8: Add an area that you want to accelerate.

    6. Server Port: Specify a server port based on the protocol type. In this topic, 9000 is used.

  6. Click Add.

Step 13: Set parameters of Sec-Traffic Manager

Anti-DDoS Pro provides Sec-Traffic Manager to set the interaction rules between Anti-DDoS Pro and other cloud resources. You can set rules to trigger and enable Anti-DDoS Pro in specific scenarios. This helps you keep workloads running smoothly if no DDoS attacks occur, and provides more effective protection when DDoS attacks occur.

To configure Sec-Traffic Manager, follow these steps:

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of the service. Outside Mainland China is selected in this example.

  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager.
  4. On the Cloud Service Interaction tab, click Create Rule.
  5. In the Create Rule panel, set the following parameters:

    1. Interaction Scenario: Select an interaction scenario for the rule. In this topic, select Cloud Service Interaction.
    2. Name: Enter the rule name.
      The name can be 1 to 128 characters in length and can contain letters, digits, and underscores (_).
    3. Anti-DDoS Instance IP: Select the Anti-DDoS instance with which you want to associate. In this topic, the Anti-DDoS Premium instance that you create in Step 11 is selected.

    4. Cloud Service: Select the region where the cloud resource is deployed, and then enter the IP address of the cloud resource.

      You can click Add Cloud Resource IP to add more IP addresses. You can add a maximum of 20 IP addresses.

      cn-hongkong is selected and the accelerated IP address is used in this example. The accelerated IP address is the one that the GA instance assigns to the China (Hong Kong) region after you add the accelerated area in Step 8. For more information, see Step 8: Add an area that you want to accelerate.

    5. The waiting time of switching back: The time that Sec-Traffic Manager waits before switching traffic back to GA after traffic has been diverted to Anti-DDoS Premium.

      To prevent frequent traffic switchovers, and to allow for the time that deactivating blackhole filtering takes, set the value to at least 30 minutes. The waiting time is set to 60 minutes in this example.

  6. Click Next.

  7. Click Finished.
    After a rule is created, Sec-Traffic Manager assigns a CNAME address to this rule.

Step 14: Resolve the domain name to Sec-Traffic Manager

After you create a scheduling rule in Sec-Traffic Manager, you must update the CNAME record of the domain name to redirect website traffic from the Chinese mainland to Sec-Traffic Manager. The rule takes effect only after you update the CNAME record.

Note

If you use a third-party DNS service, log on to the system of the DNS service provider to modify the DNS record of your website.

To resolve the domain name to Sec-Traffic Manager, follow these steps:

  1. Log on to the Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the target domain name, and click Configure in the Actions column.
  3. On the DNS Settings page, click Add Record.

  4. In the Add Record dialog box, configure the record, and click Confirm.

    1. Type: Select a record type.

      In this example, the website domain name is mapped to another domain name. Therefore, CNAME is selected.

    2. Host: Enter the prefix of the accelerated domain name.

      www is entered in this example.

    3. ISP Line: Select Default from the drop-down list.

    4. Value: Set this parameter to the CNAME assigned in Step 13. For more information, see Step 13: Set parameters of Sec-Traffic Manager.

    5. TTL: The TTL value of the IP address that is mapped to the specified domain name.

      10 minute(s) is selected in this example.

  5. Repeat the preceding steps to add CNAME records for ISP lines provided by China Unicom, China Telecom, China Mobile, and China Education Network.

Step 15: Test the connectivity

In regions of the Chinese mainland, use a Windows operating system to test the performance of protection and acceleration provided by GA after GA interacts with Anti-DDoS Premium, WAF, and GTM.

  1. The domain name www.example.us is hosted outside the Chinese mainland. Enter this domain name in the address bar of the browser to access the application deployed in the US (Silicon Valley) region.

  2. Open the CLI, and run the nslookup <web service domain name> command to check the DNS resolution result.

    • When the origin server is not attacked, the IP address of the GA instance is returned.

    • When the origin server is under attack, the IP address of the Anti-DDoS Premium instance is returned.

  3. Run the nslookup <CNAME access domain name in GTM> command to check the resolution result.

    • If the primary server group is available, the IP address of Server 1 or Server 2 is returned. In this topic, the primary server group contains Server 1 and Server 2 that are deployed in the US (Silicon Valley) region.

    • If the primary server group is unavailable, the IP address of Server 3 or Server 4 is returned.

  4. Run the following command to test the network latency:

    curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "http[s]://<the domain name of the web service>[:<port>]"

    where:
    • time_connect: the time taken to establish the TCP connection to the server.
    • time_starttransfer: the time from the start of the request until the client receives the first byte of the response (this includes the connection time).
    • time_total: the total time from the start of the request until the response has been completely received.
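The two checks in Step 15 wrapped as shell functions, an added example that is not part of the Alibaba Cloud documentation: one reads nslookup output and reports whether the answer points at the GA accelerated IPs or at the Anti-DDoS Premium instance, the other reads the -w output of the curl command above and separates handshake time from the wait on the origin. The GA and Anti-DDoS IP addresses are constructed placeholders.

```shell
# Added example (not from the Alibaba Cloud documentation) for the Step 15 checks:
# which path the DNS answer points at, and what the curl timings mean.
# The IPs are constructed placeholders: put your GA accelerated IPs and the
# Anti-DDoS Premium instance IP here.
GA_IPS="203.0.113.10 203.0.113.11"   # placeholder: accelerated IPs of the GA instance
ANTIDDOS_IPS="198.51.100.20"         # placeholder: Anti-DDoS Premium instance IP
# Print GA, ANTI_DDOS or UNKNOWN for one resolved address.
classify_ip() {
  case " $GA_IPS " in *" $1 "*) echo GA; return ;; esac
  case " $ANTIDDOS_IPS " in *" $1 "*) echo ANTI_DDOS; return ;; esac
  echo UNKNOWN
}
# Answer addresses from nslookup output on stdin (Linux and Windows layouts, CRLF
# tolerated). The first Address line is the resolver itself, so only lines after
# the first blank line count as the answer.
answer_ips() {
  awk '{ sub(/\r$/, "") }
       /^[ \t]*$/ { inans = 1; next }
       inans && /^Address(es)?:/ { sub(/#.*/, "", $2); print $2; next }
       inans && /^[ \t]+[0-9.]+[ \t]*$/ { print $1 }'
}
# One state for the whole answer: ANTI_DDOS if any address is the Anti-DDoS
# instance (traffic has been switched), GA if all are accelerated IPs, UNKNOWN
# otherwise, NONE if nothing was parsed.
resolution_state() {
  state=""
  for ip in $(answer_ips); do
    case $(classify_ip "$ip") in
      ANTI_DDOS) state=ANTI_DDOS ;;
      GA) if [ -z "$state" ]; then state=GA; fi ;;
      *) if [ "$state" != ANTI_DDOS ]; then state=UNKNOWN; fi ;;
    esac
  done
  echo "${state:-NONE}"
}
# Summarise the -w output of the curl command (stdin). server_wait is
# time_starttransfer minus time_connect: first-byte latency spent on the origin
# rather than on the cross-border TCP handshake.
timing_summary() {
  awk -F': ' '$1 == "time_connect" { c = $2 }
              $1 == "time_starttransfer" { s = $2 }
              $1 == "time_total" { t = $2 }
              END { printf "connect=%.3f ttfb=%.3f server_wait=%.3f total=%.3f\n", c, s, s - c, t }'
}
# Live run of both checks (needs network): live_check www.example.us http://www.example.us:9000
live_check() {
  echo "DNS path for $1: $(nslookup "$1" | resolution_state)"
  curl -o /dev/null -s -w 'time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n' "$2" | timing_summary
}
if [ "$#" -ge 2 ]; then live_check "$1" "$2"; fi
```

Run it with a domain name and URL to perform the live check, or pipe saved nslookup or curl output into resolution_state and timing_summary to inspect a result captured earlier.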